wheatley/kubernetes
1
0
Fork 0
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity Actions

fix: Sec correct rbac resources

Browse source
This commit is contained in:
Peter 2026-04-06 17:58:28 +02:00
parent 4bfb8be326
commit b65ec8e109
Signed by: Peter
SSH key fingerprint: SHA256:B5tYaxBExaDm74r1px9iVeZ6F/ZDiyiy9SbBqfZYrvg
1 changed files with 5 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

23
k8s-peterg/argo-workflows/values.yaml
View file

@ -275,28 +275,15 @@ extraObjects:
kind: ServiceAccount
metadata:
name: admin-user
namespace: argo-workflows
annotations:
# The rule is an expression used to determine if this service account
# should be used.
# * `groups` - an array of the OIDC groups
# * `iss` - the issuer ("argo-server")
# * `sub` - the subject (typically the username)
# Must evaluate to a boolean.
# If you want an account to be the default to use, this rule can be "true".
# Details of the expression language are available in
# https://expr-lang.org/docs/language-definition.
workflows.argoproj.io/rbac-rule: "'admin' in groups"
# The precedence is used to determine which service account to use when
# Precedence is an integer. It may be negative. If omitted, it defaults to "0".
# Numerically higher values have higher precedence (not lower, which maybe
# counter-intuitive to you).
# If two rules match and have the same precedence, then which one used will
# be arbitrary.
workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
workflows.argoproj.io/rbac-rule-precedence: "1"
- apiVersion: v1
kind: ServiceAccount
metadata:
name: read-only
namespace: argo-workflows
annotations:
workflows.argoproj.io/rbac-rule: "true"
workflows.argoproj.io/rbac-rule-precedence: "0"
@ -307,7 +294,7 @@ extraObjects:
subjects:
- kind: ServiceAccount
name: admin-user
namespace: argocd-workflows
namespace: argo-workflows
roleRef:
kind: ClusterRole
name: argo-workflows-admin
@ -319,7 +306,7 @@ extraObjects:
subjects:
- kind: ServiceAccount
name: read-only
namespace: argocd-workflows
namespace: argo-workflows
roleRef:
kind: ClusterRole
name: argo-workflows-view